The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:

  • Merchants who collect credit card details to complete a transaction need their customers' consent to keep those details beyond that transaction in order to facilitate subsequent purchases.
  • This consent is not presumed and must take the form of an unambiguous act of will, for example a checkbox that is not pre-checked by default.
  • Acceptance of the general terms of use or sale is not considered a sufficient mechanism for collecting consent.
  • The e-merchant should build into the merchant site a simple, free-of-charge way to withdraw the consent given.
  • Credit card data can also be used in the fight against payment card fraud.
  • Merchants can rely on their legitimate interest to keep the credit card data of customers who sign up for a subscription (paid or free) that provides additional services to facilitate their purchases.
  • When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.

Details from CNIL.

A 50 million euro GDPR fine recently issued by the French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from bundled consents and state your data handling practices clearly:

  • make sure the information you provide to users is easily accessible
  • tell people why you process their information, for how long you keep it and which categories of it you hold
  • put the information in one or a few locations
  • refrain from requiring multiple actions to reach the necessary information
  • describe your purposes specifically and clearly.

Vague statements like “any of the following purposes may apply” will not suffice.

When relying on consent:

  1. Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.
  2. Require an action by the user to signify consent (no pre-checked checkboxes).
  3. Use a separate call-out for each purpose. Statements like “I accept that my information is used as described above” may not suffice.

Details from CNIL.

More here from Law360.

Sharing personal data with data brokers or other business partners? The French regulator, CNIL, has new guidelines for you to follow.

Highlights include:

  • The individual whose data is shared must give consent before any transmission to partners.
  • The individual must be able to identify the partners who will receive the data from the form through which the data is collected. You can either:
    • present a regularly updated, exhaustive list directly on the form; or, if the list is too long,
    • present a link to that list together with the partners' privacy policies.
  • The individual must be informed of changes to the list of partners, in particular the arrival of new partners.
  • The consent collected by the company gathering the data on behalf of its partners is valid only for those partners. Partners cannot pass the information on to their own partners without again collecting the informed consent of the individuals.
  • Partners must indicate, in their first communication, how individuals can exercise their rights, in particular the right to object, as well as the source of the data they are using.

Details here from CNIL.